US11354399B2 - Authentication of entitlement certificates - Google Patents
Authentication of entitlement certificatesDownload PDFInfo
- Publication number
- US11354399B2 US11354399B2US16/077,689US201716077689AUS11354399B2US 11354399 B2US11354399 B2US 11354399B2US 201716077689 AUS201716077689 AUS 201716077689AUS 11354399 B2US11354399 B2US 11354399B2
- Authority
- US
- United States
- Prior art keywords
- authorisation
- signing authority
- requests
- trusted
- administration
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active, expires
Links
Images
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- H04L9/3268—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
Definitions
- D2Ddevice to device
- users or administratorscan authorise a set of actions that devices can perform based on user or device policy that dictates the actions such authorisations confer.
- a service provider devicecan contact a signing authority to authorise and produce an authentication certificate.
- the service provider devicecan access a policy decision point using, for example, an online connection to an infrastructure portal to use authorisation encoding.
- FIG. 1shows an apparatus for providing a set of certificates that encode authorisations according to an example:
- FIG. 2shows a flow chart of a method for providing a set of certificates that encode authorisations according to an example
- FIG. 3shows an apparatus according to an example.
- a method for an entitlement signing workflowto enable an administration device to collect multiple authorisation requests from devices wishing to use certain services or perform certain actions. That is, the administration device can collect multiple requests from devices wishing to obtain permission or authorization to use certain services or perform certain actions. Accordingly, certificates that encode these authorizations can be provided.
- the requesting deviceneed not have a persistent connection to an infrastructure as the certificate that encodes the permissions for the device can be requested and delivered by way of an administration apparatus that can act as an effective broker between the requesting device and a trusted certificate generating apparatus.
- authorisation rights or permissionscan be encoded in a certificate.
- the requests for authorisationare tied to an identity of a device through a digital signature. This is done by signing the request with the private key of a device's public key pair. It can then be forwarded from the administration device to a signing authority in a single set.
- the signed requests and their contentswhich can be authorisation request parameters defining the scope of an authorisation request, can be authenticated and certificates encoding one or more permissions generated for the devices.
- the certificatescan be transmitted to the devices using a different communication path to the one used to deliver the requests to the signing authority (which itself need not be secure as a result of the initial request signing).
- a requestcan be made using a low energy radio frequency communication protocol, and delivery of a certificate can be by made using a different radio frequency communication protocol such as WiFi for example.
- either or both of the request and delivery pathwayscan use other wireless and/or hardwired communication protocols or methods, near field communication and so on.
- an authorisation request parametercan provide an indication of the device's desired entitlement to use a service.
- a parametercan indicate whether read and/or write access to a service is requested, or if a device requests access to or use of a particular node in a network and so on.
- ASRauthorisation signing requests
- Devices that wish to generate authorisation signing requests (ASR), for use in a protocol using access control under a trusted third-party authoritycan leverage their pre-existing authenticated identity to sign their requests.
- These requestscan be transferred using any means (manually, over peer-to-peer networks, or over an infrastructure LAN or WLAN connection for example) to a signing authority.
- the authoritycan produce signed entitlements and these can be returned to the requesting devices.
- the disclosed method for provisioning devices with certificatesmeans that a device does not have to have an online connection to an infrastructure portal.
- the methodsare suitable even when a device, or a set of many devices, require signed entitlements and are not in a position to directly connect to a signing authority.
- the methodcan be used in scenarios where a service provider device does not have persistent access to a policy decision point, since the device can still benefit from authorization encoding.
- the process of generating the certificates encoding permissionsuses an administration apparatus as an intermediary to enable a device to indirectly make contact with a signing authority.
- an authorized administrator's devicecan be used to collect requests from devices and forward the requests to a signing authority. Certificates encoding the permissions that were requested by the device can be generated by the signing authority, and the resulting certificates can then be returned to the requesting devices over a channel, which may or may not be the same as the channel over which the requests were initially communicated.
- FIG. 1is a schematic representation of an apparatus for providing a set of certificates encoding one or more authorisations or permissions according to an example.
- Devices 100have pre-existing identity certificates that have been signed by a trusted third-party authority.
- the certificatescontains a unique verification key or device key 105 associated with a corresponding signing key.
- a devicewishes to request an authorisation 110 , it generates an authorisation request and signs the request with its private signing key.
- the requestcan no longer be modified without detection by the authority.
- Thisallows the request to be transported 115 via an administration apparatus 120 to a trusted signing authority 130 using any means since no security requirements need to be placed on the transport mechanism.
- the requestscan take any route from the requesting device to the authority.
- the authority 130When the authority 130 receives a request it verifies 135 the correctness of the signature as well as whether the authorisation(s) requested are acceptable. For example, the authority 130 can determine whether a requested authorisation accords with a set of allowable permissions for the device that may be preconfigured at the authority 130 and which may be periodically updated.
- the authorityIf both checks pass, the authority generates a certificate 140 encoding the or each requested authorisation. This certificate can be transported 145 , 150 via the administration apparatus 120 back to the requesting device 100 using any transport method.
- the requesting deviceUpon receiving the certificate, the requesting device verifies the authority's signature within the certificate and whether the authorisations signed were those requested. If all checks pass, the device has been successfully provisioned with authorisations.
- FIG. 2shows a flow chart of a method for providing a set of certificates according to an example.
- the trusted signing authority apparatusreceives a request for authorisation to use or access a service or apparatus (e.g. a printer or network node) via the administration apparatus from the one or more devices.
- the authorityverifies the digital signatures applied to the requests.
- one or more request parametersare validated.
- the authoritygenerates the certificates encoding the authorisations for each respective request from the one or more devices.
- the certificatesare transmitted via the administration apparatus back to the one or more devices that made the respective requests.
- the method for providing a set of certificates encoding authorisationsuses an administrator device provisioned with authorisations that allow it to read and write to a security policy held by a participating device.
- These administrator devicescan be mobile devices, such as phones and tablets, and can communicate with targets using a protocol such as Bluetooth Low Energy for example, which is a low energy radio frequency communication protocol.
- the mobile devicesmay not always have an infrastructure connection available to an administrator portal. Accordingly, using pre-existing authenticated device identities, these devices can generate temporary requests offline. These requests can be collected by, for example, an administrator and transported on foot to an infrastructure connected portal. This portal can then complete the remainder of the process.
- the methodenables a set of requests to be collated and delivered to a signing authority in a single batch.
- a signing authoritymay need to walk to an infrastructure connected machine. This is useful in a whole raft of office-of-the-future use cases. It enables a low-effort and seamless workflow for generating and authenticating short-lived entitlements for use in device administration, access and authorization protocols.
- the methodalso allows for any transport protocol or method to be used to generate an entitlement signing request and a corresponding certificate.
- This includes a sneakernet approachthat is, the transfer of electronic information by physically moving media comprising the information, such as magnetic tape, flash drives or external hard drives and so on, from one device to another), which in turn enables a bulk collection and collation of requests that can be ferried to an authority in one go.
- the methodis suitable for deployment over a variety of different transport protocols, ranging from full infrastructure communication protocols, to peer-to-peer protocols, to manual transport on a physical device.
- Examples in the present disclosurecan be provided as methods, systems or machine-readable instructions.
- Such machine-readable instructionsmay be included on a computer readable storage medium (including but not limited to disc storage, CD-ROM, optical storage, etc.) having computer readable program codes therein or thereon.
- the machine-readable instructionsmay, for example, be executed by a device, an administration apparatus, a trusted signing authority apparatus, a general-purpose computer, a special purpose computer, an embedded processor or processors of other programmable data processing devices to realize the functions described in the description and diagrams.
- a processor or processing apparatusmay execute the machine-readable instructions.
- modules of the administration apparatus or trusted signing authority apparatusmay be implemented by a processor executing machine readable instructions stored in a memory, or a processor operating in accordance with instructions embedded in logic circuitry.
- the term ‘processor’is to be interpreted broadly to include a CPU, processing unit, ASIC, logic unit, or programmable gate set etc. The methods and modules may all be performed by a single processor or divided amongst several processors.
- Such machine-readable instructionsmay also be stored in a computer readable storage that can guide the computer or other programmable data processing devices to operate in a specific mode.
- the instructionsmay be provided on a non-transitory computer readable storage medium encoded with instructions, executable by a processor.
- FIG. 3shows an example of an apparatus comprising a processor 350 associated with a memory 352 .
- the memory 352comprises computer readable instructions 354 which are executable by the processor 350 .
- the instructions 354comprise:
- Such machine-readable instructionsmay also be loaded onto a computer or other programmable data processing devices, so that the computer or other programmable data processing devices perform a series of operations to produce computer-implemented processing, thus the instructions executed on the computer or other programmable devices provide an operation for realizing functions specified by flow(s) in the flow charts and/or block(s) in the block diagrams.
- teachings hereinmay be implemented in the form of a computer software product, the computer software product being stored in a storage medium and comprising a plurality of instructions for making a computer device implement the methods recited in the examples of the present disclosure.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- General Health & Medical Sciences (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Automation & Control Theory (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
Description
In a device to device (D2D) computing environment such as a smart office or home, users or administrators can authorise a set of actions that devices can perform based on user or device policy that dictates the actions such authorisations confer. A service provider device can contact a signing authority to authorise and produce an authentication certificate. The service provider device can access a policy decision point using, for example, an online connection to an infrastructure portal to use authorisation encoding.
Various features of certain examples will be apparent from the detailed description which follows, taken in conjunction with the accompanying drawings, which together illustrate, by way of example only, a number of features, and wherein:
In the following description, for purposes of explanation, numerous specific details of certain examples are set forth. Reference in the specification to “an example” or similar language means that a particular feature, structure, or characteristic described in connection with the example is included in at least that one example, but not necessarily in other examples.
According to an example, there is provided a method for an entitlement signing workflow to enable an administration device to collect multiple authorisation requests from devices wishing to use certain services or perform certain actions. That is, the administration device can collect multiple requests from devices wishing to obtain permission or authorization to use certain services or perform certain actions. Accordingly, certificates that encode these authorizations can be provided. The requesting device need not have a persistent connection to an infrastructure as the certificate that encodes the permissions for the device can be requested and delivered by way of an administration apparatus that can act as an effective broker between the requesting device and a trusted certificate generating apparatus.
Therefore, according to an example, authorisation rights or permissions can be encoded in a certificate. The requests for authorisation are tied to an identity of a device through a digital signature. This is done by signing the request with the private key of a device's public key pair. It can then be forwarded from the administration device to a signing authority in a single set.
In an example, the signed requests and their contents, which can be authorisation request parameters defining the scope of an authorisation request, can be authenticated and certificates encoding one or more permissions generated for the devices. The certificates can be transmitted to the devices using a different communication path to the one used to deliver the requests to the signing authority (which itself need not be secure as a result of the initial request signing). For example, a request can be made using a low energy radio frequency communication protocol, and delivery of a certificate can be by made using a different radio frequency communication protocol such as WiFi for example. Alternatively, either or both of the request and delivery pathways can use other wireless and/or hardwired communication protocols or methods, near field communication and so on.
In an example, an authorisation request parameter can provide an indication of the device's desired entitlement to use a service. For example, a parameter can indicate whether read and/or write access to a service is requested, or if a device requests access to or use of a particular node in a network and so on.
Devices that wish to generate authorisation signing requests (ASR), for use in a protocol using access control under a trusted third-party authority can leverage their pre-existing authenticated identity to sign their requests. These requests can be transferred using any means (manually, over peer-to-peer networks, or over an infrastructure LAN or WLAN connection for example) to a signing authority. The authority can produce signed entitlements and these can be returned to the requesting devices.
The disclosed method for provisioning devices with certificates means that a device does not have to have an online connection to an infrastructure portal. The methods are suitable even when a device, or a set of many devices, require signed entitlements and are not in a position to directly connect to a signing authority.
The method can be used in scenarios where a service provider device does not have persistent access to a policy decision point, since the device can still benefit from authorization encoding. The process of generating the certificates encoding permissions uses an administration apparatus as an intermediary to enable a device to indirectly make contact with a signing authority.
In an example, an authorized administrator's device can be used to collect requests from devices and forward the requests to a signing authority. Certificates encoding the permissions that were requested by the device can be generated by the signing authority, and the resulting certificates can then be returned to the requesting devices over a channel, which may or may not be the same as the channel over which the requests were initially communicated.
When theauthority 130 receives a request it verifies135 the correctness of the signature as well as whether the authorisation(s) requested are acceptable. For example, theauthority 130 can determine whether a requested authorisation accords with a set of allowable permissions for the device that may be preconfigured at theauthority 130 and which may be periodically updated.
If both checks pass, the authority generates acertificate 140 encoding the or each requested authorisation. This certificate can be transported145,150 via theadministration apparatus 120 back to the requestingdevice 100 using any transport method.
Upon receiving the certificate, the requesting device verifies the authority's signature within the certificate and whether the authorisations signed were those requested. If all checks pass, the device has been successfully provisioned with authorisations.
In an example, the method for providing a set of certificates encoding authorisations uses an administrator device provisioned with authorisations that allow it to read and write to a security policy held by a participating device. These administrator devices can be mobile devices, such as phones and tablets, and can communicate with targets using a protocol such as Bluetooth Low Energy for example, which is a low energy radio frequency communication protocol. The mobile devices may not always have an infrastructure connection available to an administrator portal. Accordingly, using pre-existing authenticated device identities, these devices can generate temporary requests offline. These requests can be collected by, for example, an administrator and transported on foot to an infrastructure connected portal. This portal can then complete the remainder of the process.
According to an example, the method enables a set of requests to be collated and delivered to a signing authority in a single batch. Thus, only one member of an IT department, for example, may need to walk to an infrastructure connected machine. This is useful in a whole raft of office-of-the-future use cases. It enables a low-effort and seamless workflow for generating and authenticating short-lived entitlements for use in device administration, access and authorization protocols. The method also allows for any transport protocol or method to be used to generate an entitlement signing request and a corresponding certificate. This includes a sneakernet approach (that is, the transfer of electronic information by physically moving media comprising the information, such as magnetic tape, flash drives or external hard drives and so on, from one device to another), which in turn enables a bulk collection and collation of requests that can be ferried to an authority in one go.
The method is suitable for deployment over a variety of different transport protocols, ranging from full infrastructure communication protocols, to peer-to-peer protocols, to manual transport on a physical device.
Examples in the present disclosure can be provided as methods, systems or machine-readable instructions. Such machine-readable instructions may be included on a computer readable storage medium (including but not limited to disc storage, CD-ROM, optical storage, etc.) having computer readable program codes therein or thereon.
The present disclosure is described with reference to flow charts and/or block diagrams of the method, devices and systems according to examples of the present disclosure. Although the flow diagrams described above show a specific order of execution, the order of execution may differ from that which is depicted. Blocks described in relation to one flow chart may be combined with those of another flow chart. In some examples, some blocks of the flow diagrams may not be necessary and/or additional blocks may be added. It shall be understood that each flow and/or block in the flow charts and/or block diagrams, as well as combinations of the flows and/or diagrams in the flow charts and/or block diagrams can be realized by machine readable instructions.
The machine-readable instructions may, for example, be executed by a device, an administration apparatus, a trusted signing authority apparatus, a general-purpose computer, a special purpose computer, an embedded processor or processors of other programmable data processing devices to realize the functions described in the description and diagrams. In particular, a processor or processing apparatus may execute the machine-readable instructions. Thus, modules of the administration apparatus or trusted signing authority apparatus may be implemented by a processor executing machine readable instructions stored in a memory, or a processor operating in accordance with instructions embedded in logic circuitry. The term ‘processor’ is to be interpreted broadly to include a CPU, processing unit, ASIC, logic unit, or programmable gate set etc. The methods and modules may all be performed by a single processor or divided amongst several processors.
Such machine-readable instructions may also be stored in a computer readable storage that can guide the computer or other programmable data processing devices to operate in a specific mode.
For example, the instructions may be provided on a non-transitory computer readable storage medium encoded with instructions, executable by a processor.
Instructions to receive requests;
Instruction to verify digital signatures applied to the requests by the devices;
Instructions to validate one or more request parameter(s);
Instructions to generate certificates; and
Instructions to transmit certificates.
Such machine-readable instructions may also be loaded onto a computer or other programmable data processing devices, so that the computer or other programmable data processing devices perform a series of operations to produce computer-implemented processing, thus the instructions executed on the computer or other programmable devices provide an operation for realizing functions specified by flow(s) in the flow charts and/or block(s) in the block diagrams.
Further, the teachings herein may be implemented in the form of a computer software product, the computer software product being stored in a storage medium and comprising a plurality of instructions for making a computer device implement the methods recited in the examples of the present disclosure.
While the method, apparatus and related aspects have been described with reference to certain examples, various modifications, changes, omissions, and substitutions can be made without departing from the spirit of the present disclosure. In particular, a feature or block from one example may be combined with or substituted by a feature/block of another example.
The word “comprising” does not exclude the presence of elements other than those listed in a claim, “a” or “an” does not exclude a plurality, and a single processor or other unit may fulfil the functions of several units recited in the claims.
The features of any dependent claim may be combined with the features of any of the independent claims or other dependent claims.
Claims (16)
1. A method comprising:
receiving, at a trusted signing authority apparatus from an administration apparatus over a first communication link between the trusted signing authority apparatus and the administration apparatus, authorisation requests collected in a batch by the administration apparatus from respective multiple devices that are requesting authorisations to use services;
processing, at the trusted signing authority apparatus, the authorisation requests received in the batch from the administration apparatus, and verifying, at the trusted signing authority apparatus, respective digital signatures applied to the authorisation requests using signing keys associated with corresponding identity certificates at respective devices of the multiple devices;
validating, at the trusted signing authority apparatus, respective authorisation request parameters of the authorisation requests received in the batch from the administration apparatus;
generating, at the trusted signing authority apparatus, a certificate encoding an authorisation requested by a device of the multiple devices; and
transmitting, from the trusted signing authority apparatus, the generated certificate to the administration apparatus or the device over a second communication link.
2. The method ofclaim 1 , wherein an authorisation request parameter of the authorisation request parameters comprises an indication of an entitlement to use a service by the device.
3. The method ofclaim 1 , wherein a signing key of the signing keys comprises a private key of a device public key pair.
4. The method ofclaim 1 , further comprising signing an identity certificate, of the identity certificates, for the device.
5. The method ofclaim 1 , further comprising collating, at the trusted signing authority apparatus, a set of generated certificates for transmission to the administration apparatus.
6. The method ofclaim 1 , wherein the administration apparatus is a mobile device.
7. The method ofclaim 1 , wherein an authorisation request parameter of a first authorisation request of the authorisation requests indicates a service requested by a first device of the devices.
8. A device comprising:
a processor; and
a non-transitory storage medium storing instructions executable on the processor to:
generate an authorisation request for a certificate encoding an authorisation;
sign the authorisation request using a signing key associated with an identity certificate of the device;
transmit the signed authorisation request to an administration device for collating the signed authorisation request of the device with signed authorisation requests of other devices to form a batch of authorisation requests;
receive, at the device, the certificate encoding the authorisation and generated by a signing authority apparatus in response to a verification of the batch of authorisation requests by the signing authority apparatus responsive to the batch of authorisation requests being forwarded by the administration device to the signing authority apparatus; and
verify, at the device, whether the authorisation encoded in the certificate was requested by the device in the authorisation request.
9. The device ofclaim 8 , wherein the instructions are executable on the processor to:
apply a digital signature to the authorisation request using a private key of a device public key pair to sign the authorisation request, wherein the signing key comprises the private key.
10. The device ofclaim 8 , wherein the instructions are executable on the processor to:
determine that the device has been successfully provisioned with the authorisation to use a service in response to verifying that the authorisation encoded in the certificate was requested by the device in the authorisation request.
11. The device ofclaim 10 , wherein the authorisation to use the service comprises an authorisation to use a service of a printer.
12. A non-transitory machine-readable storage medium comprising instructions executable on a processor of a trusted signing authority apparatus to cause the trusted signing authority apparatus to:
receive, at the trusted signing authority apparatus from an administration apparatus over a first communication link between the trusted signing authority apparatus and the administration apparatus, authorisation requests collected in a batch by the administration apparatus from respective multiple different devices that are requesting authorisations to use services;
process, at the trusted signing authority apparatus, the authorisation requests, received in the batch from the administration apparatus and verify, at the trusted signing authority apparatus, respective digital signatures applied to the authorisation requests using signing keys associated with corresponding identity certificates at respective devices of the multiple devices;
validate, at the trusted signing authority apparatus, respective authorisation request parameters of the authorisation requests received in the batch from the administration apparatus;
generate, at the trusted signing authority apparatus, a certificate encoding an authorisation requested by a device of the multiple different devices; and
transmit, from the trusted signing authority apparatus, the generated certificate to the administration apparatus or the device over a second communication link.
13. The non-transitory machine-readable storage medium ofclaim 12 ,
wherein a signing key of the signing keys comprises a private key of a device public key pair.
14. The non-transitory machine-readable storage medium ofclaim 12 , comprising instructions executable to cause the trusted signing authority apparatus:
collate a set of generated certificates for transmission to the administration apparatus.
15. The non-transitory machine-readable storage medium ofclaim 12 , wherein the administration apparatus is a mobile device.
16. The non-transitory machine-readable storage medium ofclaim 12 , wherein an authorisation request parameter of a first authorisation request of the authorisation requests indicates a service requested by a first device of the multiple different devices.
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/US2017/042412WO2019017883A1 (en) | 2017-07-17 | 2017-07-17 | Authentication of entitlement certificates |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| US20210200856A1 US20210200856A1 (en) | 2021-07-01 |
| US11354399B2true US11354399B2 (en) | 2022-06-07 |
Family
ID=65016087
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US16/077,689Active2039-12-29US11354399B2 (en) | 2017-07-17 | 2017-07-17 | Authentication of entitlement certificates |
Country Status (2)
| Country | Link |
|---|---|
| US (1) | US11354399B2 (en) |
| WO (1) | WO2019017883A1 (en) |
Citations (21)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20030023880A1 (en)* | 2001-07-27 | 2003-01-30 | Edwards Nigel John | Multi-domain authorization and authentication |
| US20040025022A1 (en) | 2000-09-21 | 2004-02-05 | Yach David P | Code signing system and method |
| US20070094493A1 (en)* | 2005-10-21 | 2007-04-26 | Ali Valiuddin Y | Digital certificate that indicates a parameter of an associated cryptographic token |
| US20090249071A1 (en) | 2008-03-04 | 2009-10-01 | Apple Inc. | Managing code entitlements for software developers in secure operating environments |
| US20100150353A1 (en) | 2008-12-11 | 2010-06-17 | International Business Machines Corporation | Secure method and apparatus to verify personal identity over a network |
| US20110247055A1 (en)* | 2008-06-02 | 2011-10-06 | Microsoft Corporation | Trusted device-specific authentication |
| US8312262B2 (en) | 2004-04-30 | 2012-11-13 | Qualcomm Incorporated | Management of signing privileges for a cryptographic signing service |
| US20130326215A1 (en)* | 2012-06-05 | 2013-12-05 | Cleversafe, Inc. | Establishing trust within a cloud computing system |
| US20140164764A1 (en) | 2012-12-11 | 2014-06-12 | Rawllin International Inc. | Assignment of digital signature and qualification for related services |
| US20140195800A1 (en)* | 2013-01-09 | 2014-07-10 | Digicert, Inc. | Certificate Information Verification System |
| RU2522024C2 (en) | 2012-10-15 | 2014-07-10 | Общество С Ограниченной Ответственностью "Лаборатория Эландис" | Method of signing electronic documents with analogue-digital signature with additional verification |
| US20150172064A1 (en)* | 2013-12-13 | 2015-06-18 | Fujitsu Limited | Method and relay device for cryptographic communication |
| US9104541B2 (en) | 2011-10-04 | 2015-08-11 | Cleversafe, Inc. | Obtaining a signed certificate for a dispersed storage network |
| US9223789B1 (en)* | 2013-03-14 | 2015-12-29 | Amazon Technologies, Inc. | Range retrievals from archived data objects according to a predefined hash tree schema |
| US20160156477A1 (en)* | 2014-11-27 | 2016-06-02 | International Business Machines Corporation | Managing time-dependent electronic files |
| US20160337127A1 (en) | 2015-05-14 | 2016-11-17 | Verizon Patent And Licensing Inc. | IoT COMMUNICATION UTILIZING SECURE ASYNCHRONOUS P2P COMMUNICATION AND DATA EXCHANGE |
| WO2017053835A1 (en)* | 2015-09-23 | 2017-03-30 | Viasat, Inc. | Acceleration of online certificate status checking with an internet hinting service |
| US20170214759A1 (en)* | 2016-01-25 | 2017-07-27 | Dell Software, Inc. | Optimizer module in high load client/server systems |
| US20170288883A1 (en)* | 2016-03-30 | 2017-10-05 | Airwatch Llc | Certificate distribution using derived credentials |
| US20210152372A1 (en)* | 2019-11-18 | 2021-05-20 | Microsoft Technology Licensing, Llc | Achieving certificate pinning security in reduced trust networks |
| US11146406B2 (en)* | 2017-07-26 | 2021-10-12 | Hewlett-Packard Development Company, L.P. | Managing entitlement |
- 2017
- 2017-07-17WOPCT/US2017/042412patent/WO2019017883A1/ennot_activeCeased
- 2017-07-17USUS16/077,689patent/US11354399B2/enactiveActive
Patent Citations (21)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20040025022A1 (en) | 2000-09-21 | 2004-02-05 | Yach David P | Code signing system and method |
| US20030023880A1 (en)* | 2001-07-27 | 2003-01-30 | Edwards Nigel John | Multi-domain authorization and authentication |
| US8312262B2 (en) | 2004-04-30 | 2012-11-13 | Qualcomm Incorporated | Management of signing privileges for a cryptographic signing service |
| US20070094493A1 (en)* | 2005-10-21 | 2007-04-26 | Ali Valiuddin Y | Digital certificate that indicates a parameter of an associated cryptographic token |
| US20090249071A1 (en) | 2008-03-04 | 2009-10-01 | Apple Inc. | Managing code entitlements for software developers in secure operating environments |
| US20110247055A1 (en)* | 2008-06-02 | 2011-10-06 | Microsoft Corporation | Trusted device-specific authentication |
| US20100150353A1 (en) | 2008-12-11 | 2010-06-17 | International Business Machines Corporation | Secure method and apparatus to verify personal identity over a network |
| US9104541B2 (en) | 2011-10-04 | 2015-08-11 | Cleversafe, Inc. | Obtaining a signed certificate for a dispersed storage network |
| US20130326215A1 (en)* | 2012-06-05 | 2013-12-05 | Cleversafe, Inc. | Establishing trust within a cloud computing system |
| RU2522024C2 (en) | 2012-10-15 | 2014-07-10 | Общество С Ограниченной Ответственностью "Лаборатория Эландис" | Method of signing electronic documents with analogue-digital signature with additional verification |
| US20140164764A1 (en) | 2012-12-11 | 2014-06-12 | Rawllin International Inc. | Assignment of digital signature and qualification for related services |
| US20140195800A1 (en)* | 2013-01-09 | 2014-07-10 | Digicert, Inc. | Certificate Information Verification System |
| US9223789B1 (en)* | 2013-03-14 | 2015-12-29 | Amazon Technologies, Inc. | Range retrievals from archived data objects according to a predefined hash tree schema |
| US20150172064A1 (en)* | 2013-12-13 | 2015-06-18 | Fujitsu Limited | Method and relay device for cryptographic communication |
| US20160156477A1 (en)* | 2014-11-27 | 2016-06-02 | International Business Machines Corporation | Managing time-dependent electronic files |
| US20160337127A1 (en) | 2015-05-14 | 2016-11-17 | Verizon Patent And Licensing Inc. | IoT COMMUNICATION UTILIZING SECURE ASYNCHRONOUS P2P COMMUNICATION AND DATA EXCHANGE |
| WO2017053835A1 (en)* | 2015-09-23 | 2017-03-30 | Viasat, Inc. | Acceleration of online certificate status checking with an internet hinting service |
| US20170214759A1 (en)* | 2016-01-25 | 2017-07-27 | Dell Software, Inc. | Optimizer module in high load client/server systems |
| US20170288883A1 (en)* | 2016-03-30 | 2017-10-05 | Airwatch Llc | Certificate distribution using derived credentials |
| US11146406B2 (en)* | 2017-07-26 | 2021-10-12 | Hewlett-Packard Development Company, L.P. | Managing entitlement |
| US20210152372A1 (en)* | 2019-11-18 | 2021-05-20 | Microsoft Technology Licensing, Llc | Achieving certificate pinning security in reduced trust networks |
Non-Patent Citations (1)
| Title |
|---|
| Chandler, "DigiCert Launches Digital Certificate Auto-Provisioning for IoT Devices", Retrieved from Internet—https://www.digicert.com/news/2017-02-06-digicert-launches-auto-provisioning-for-iot-devices/, Feb. 6, 2017, 3 Pages. |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2019017883A1 (en) | 2019-01-24 |
| US20210200856A1 (en) | 2021-07-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11956371B2 (en) | Recursive token binding for cascaded service calls | |
| KR101883156B1 (en) | System and method for authentication, user terminal, authentication server and service server for executing the same | |
| US11539526B2 (en) | Method and apparatus for managing user authentication in a blockchain network | |
| EP3602991B1 (en) | Mechanism for achieving mutual identity verification via one-way application-device channels | |
| CN104021333B (en) | Mobile security watch bag | |
| US10404680B2 (en) | Method for obtaining vetted certificates by microservices in elastic cloud environments | |
| CN111639327B (en) | An open platform authentication method and device | |
| US20230163967A1 (en) | Decentralized authorization of user access requests in a multi-tenant distributed service architecture | |
| US9197420B2 (en) | Using information in a digital certificate to authenticate a network of a wireless access point | |
| CN116170803B (en) | System and method for securely managing vehicle information | |
| CN114175578B (en) | Secure sharing of private information | |
| CN115758444A (en) | Method and system for realizing block chain | |
| EP3535724A1 (en) | Verifying an association between a communication device and a user | |
| WO2013104143A1 (en) | Authentication method and system oriented to heterogeneous network | |
| CN111049806B (en) | Joint authority control method and device, electronic equipment and storage medium | |
| US10846392B2 (en) | Remote processing of credential requests | |
| KR102135856B1 (en) | Method for certificating node of public blockchain, apparatus and system for executing the method | |
| US12231576B2 (en) | Secure digital signing of a document | |
| WO2018005238A1 (en) | Multi-hop secure content routing based on cryptographic partial blind signatures and embedded terms | |
| CN112910660A (en) | Certificate issuing method, adding method and transaction processing method of blockchain system | |
| CN116074023A (en) | Authentication method and communication device | |
| CN112235290A (en) | Block chain-based Internet of things equipment management method and first Internet of things equipment | |
| CN107016267B (en) | Resource operation method and system in offline state | |
| US11354399B2 (en) | Authentication of entitlement certificates | |
| US20240235835A1 (en) | Computing systems and methods for protecting application programming interfaces with two-factor authentication |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| FEPP | Fee payment procedure | Free format text:ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY | |
| AS | Assignment | Owner name:HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P., TEXAS Free format text:ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:SCHIFFMAN, JOSHUA SERRATELLI;MATHER, LUKE T;MOHRMAN, CHRIS;SIGNING DATES FROM 20170829 TO 20180715;REEL/FRAME:047335/0818 | |
| STPP | Information on status: patent application and granting procedure in general | Free format text:NON FINAL ACTION MAILED | |
| STPP | Information on status: patent application and granting procedure in general | Free format text:RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER | |
| STPP | Information on status: patent application and granting procedure in general | Free format text:FINAL REJECTION MAILED | |
| STPP | Information on status: patent application and granting procedure in general | Free format text:DOCKETED NEW CASE - READY FOR EXAMINATION | |
| STPP | Information on status: patent application and granting procedure in general | Free format text:NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS | |
| STPP | Information on status: patent application and granting procedure in general | Free format text:PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED | |
| STCF | Information on status: patent grant | Free format text:PATENTED CASE |